CCleaner Tool Hacked and Users May Have Been Compromised

CCleaner, the tool many people download to remove unwanted files and keep their computers running cleanly, has been downloaded more than two billion times. However, Piriform, the company that develops it, announced on Sept. 18 that its systems had been hacked and that attackers had inserted a backdoor into the tool, which could have infected the users who downloaded the modified build.

An Avast spokesperson said the company believes around 2.27 million users on 32-bit Windows machines had been infected by the affected software. The spokesperson went on to say that an investigation into the problem ensued and that the company was able to neutralize the threat before harm was done.

Avast, which acquired Piriform in July, analyzed the attack. Piriform contacted law enforcement, took the compromised download server offline and updated CCleaner to version 5.34.

Piriform Vice President of Products Paul Yung said the suspicious activity was discovered on Sept. 12, 2017, when software bundled with CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191 on 32-bit Windows systems was found sending information to an unknown IP address. He said a further investigation found that those versions had been modified before their public release.
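As an added example (not code from Piriform, Avast or Cisco), the following Python snippet flags software-inventory records that match the product versions and platform named above, comparing versions numerically rather than as strings. The inventory records are constructed sample data, and the `Install` record type, its field names and the `x86`/`x64` architecture labels are assumptions of this example.

```python
# Added example: triage an inventory for the backdoored CCleaner builds.
# Version numbers are the ones the advisory names; everything else
# (record layout, sample hosts) is constructed for illustration.
from typing import List, NamedTuple, Optional, Tuple

# Builds reported as modified before release; only 32-bit Windows was affected.
AFFECTED: dict = {
    "CCleaner": (5, 33, 6162),
    "CCleaner Cloud": (1, 7, 3191),
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '5.33.6162' into (5, 33, 6162).

    Comparing tuples of ints is numeric; comparing the raw strings is not
    ('5.9' sorts above '5.34' lexicographically, which is wrong).
    """
    return tuple(int(part) for part in v.strip().split("."))


class Install(NamedTuple):
    host: str
    product: str
    version: str
    arch: str  # assumed labels: 'x86' for 32-bit, 'x64' for 64-bit


def is_affected(install: Install) -> bool:
    """True when the install exactly matches a backdoored build on 32-bit."""
    bad: Optional[Tuple[int, ...]] = AFFECTED.get(install.product)
    if bad is None:
        return False
    if install.arch != "x86":  # 64-bit builds were not reported as affected
        return False
    return parse_version(install.version) == bad


def find_affected(inventory: List[Install]) -> List[str]:
    """Return the hostnames that need remediation, in inventory order."""
    return [i.host for i in inventory if is_affected(i)]


# Constructed sample inventory (hostnames and the 5.34.0 entry are made up).
SAMPLE_INVENTORY = [
    Install("ws01", "CCleaner", "5.33.6162", "x86"),
    Install("ws02", "CCleaner", "5.33.6162", "x64"),
    Install("ws03", "CCleaner Cloud", "1.07.3191", "x86"),
    Install("ws04", "CCleaner", "5.34.0", "x86"),
    Install("ws05", "Other Tool", "5.33.6162", "x86"),
]

if __name__ == "__main__":
    for host in find_affected(SAMPLE_INVENTORY):
        print(f"{host}: backdoored CCleaner build installed, update to 5.34 or later")
```

An exact version match is deliberate here: the page only identifies the two specific builds as tampered with, so an older or newer version is not flagged as compromised, even though anything below 5.34 should still be updated.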

Piriform said the attack involved a two-stage backdoor capable of retrieving and executing code from the attacker's server.

Yung said the company does not want to speculate on how the code was inserted into the CCleaner software, where the attack came from, how long it took to create or who is behind it.

Cisco Talos, the research group that reported the problem to Avast on Sept. 13, said it found the issue while conducting customer beta testing of a new exploit-detection technology. Cisco's analysis of the intrusion found that the infected CCleaner version was released Aug. 15, which means about a month of exposure for CCleaner users.

No explanation has been given of how the attackers were able to alter the code to add the backdoor, but researchers at Cisco Talos said one possibility is a compromised developer account that gave them the access needed to tamper with the system.